On 14th September 2024, Saudi Arabia’s first ever data protection law will come into force. Organisations doing business in the Middle East need to carefully consider the impact of the new law on their personal data processing activities, as just like the GDPR, the KSA law has an extra territorial effect. The new law, alongside other Middle East countries new DP laws, presents a great opportunity for UK data protection professionals to use their skills and expertise to make an impact in the region.
Background
The Personal Data Protection Law (PDPL) of Saudi Arabia was implemented by Royal Decree on 14th September 2021. It aims to regulate the collection, handling, disclosure and use of personal data. It will initially be enforced by the Saudi Arabian Authority for Data and Artificial Intelligence (SDAIA) which has published the aforementioned regulations. PDPL was originally going to come fully into force on 23rd March 2022. However, in November 2022, SDAIA published proposed amendments which were passed after public consultation.
Following a consultation period, we also now have the final versions of the Implementing Regulations and the Personal Data Transfer Regulations; both expand on the general principles and obligations outlined in the PDPL (as amended in March 2023) and introduce new compliance requirements for data controllers.
More Information
Summary of the new law: https://actnowtraining.blog/2022/01/10/the-new-saudi-arabian-federal-data-protection-law/
Summary of the Regulations: https://actnowtraining.blog/2023/07/26/data-protection-law-in-saudi-arabia-implementing-regulation-published/
Action Plan
13th September 2024 is not far away. Work needs to start now to implement systems and processes to ensure compliance. Failure to do so could lead to enforcement action and also reputational damage. The following should be part of an action plan for compliance:
- Training the organisation’s management team to understand the importance of PDPL, the main provisions and changes required to systems and processes.
- Training staff at all levels to understand PDPL at how it will impact their role.
- Carrying out a data audit to understand what personal data is held, where it sits and how it is processed.
- Reviewing how records management and information risk is addressed within the organisation.
- Drafting Privacy Notices to ensure they set out the minimum information that should be included.
- Reviewing information security policies and procedures in the light of the new more stringent security obligations particularly breach notification.
- Draft policies and procedures to deal with Data Subjects’ rights particularly requests for subject access, rectification and erasure.
- Appointing and training a Data Protection Officer.
Opportunities for UK DP Professionals
Data Protection law in the Middle East has seen some rapid developments recently. The UAE recently enacted a federal law to comprehensively regulate the processing of personal data in all seven emirates. This will sit alongside current data protection laws regulating businesses in the various financial districts such as the Dubai International Financial Centre (DIFC) Data Protection Law No. 5 of 2020 and the Abu Dhabi Global Market (ADGM) Data Protection Regulations 2021. In addition there are several sector specific laws in the UAE which address personal privacy and data security. Bahrain, Oman and Qatar also now have comprehensive data protection laws.
These developments present some great opportunities for UK data protection professionals. With many DPOs having worked to implement the GDPR over the past few years, their skills are now in high demand to assist Middle Eastern organisations in achieving compliance, enhancing data security practices, and fostering a culture of privacy protection in the region’s rapidly evolving digital ecosystem.
Act Now in Saudi Arabia
Act Now Training can help your businesses prepare for the new law.
We have delivered training extensively in the Middle East to a wide range of delegates including representatives of the telecommunications, legal and technology sectors. We have experience in helping organisations in territories where a new law of this type has been implemented.
Now is the time to train your staff in the new law. Through our KSA privacy programme, we offer comprehensive and cost-effective training from one hour awareness-raising webinars to comprehensive full day workshops and DPO certificate courses.
To help deliver this and other courses, Suzanne Ballabás, an experienced middle-east based data protection specialist, recently joined our team of associates. We can deliver Online or Face to Face training. All of our training starts with a FREE analysis call to ensure you have the right level and most appropriate content for your organisations needs. Please get in touch to discuss your training or consultancy needs.
Click on the Link Below to see our KSA Privacy Programme.
3 thoughts on “Saudi Arabia’s DP Law Coming Into Force Soon”